package com.floragunn.searchguard.sgctl.commands;

import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.searchguard.sgctl.SgctlConfig;
import com.floragunn.searchguard.sgctl.SgctlException;
import com.floragunn.searchguard.sgctl.client.ApiException;
import com.floragunn.searchguard.sgctl.client.FailedConnectionException;
import com.floragunn.searchguard.sgctl.client.InvalidResponseException;
import com.floragunn.searchguard.sgctl.client.SearchGuardRestClient;
import com.floragunn.searchguard.sgctl.client.ServiceUnavailableException;
import com.floragunn.searchguard.sgctl.client.UnauthorizedException;
import java.io.File;
import java.net.SocketException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.HttpHost;
import picocli.CommandLine;

/* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/ConnectingCommand.class */
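/**
 * Base class for sgctl commands that talk to a Search Guard cluster over HTTPS.
 *
 * <p>Connection settings are resolved from the command line first and from the selected
 * cluster config (see {@code getSelectedClusterConfig()} in the superclass) second. TLS
 * settings given on the command line override the corresponding entries of the cluster's
 * TLS config key by key.
 *
 * <p>Inherited members used here but not declared in this file: {@code verbose},
 * {@code debug}, {@code validationErrors} and {@code getSelectedClusterConfig()}.
 */
public abstract class ConnectingCommand extends BaseCommand {

    /** REST port used when neither the command line nor the cluster config supplies one. */
    private static final int DEFAULT_PORT = 9200;

    @CommandLine.Option(names = {"-h", "--host"}, description = {"Hostname of the node to connect to"})
    String host;

    @CommandLine.Option(names = {"-E", "--cert"}, description = {"Client certificate for admin authentication"})
    File clientCert;

    @CommandLine.Option(names = {"-p", "--port"}, description = {"REST port to connect to. Default: 9200"})
    Integer serverPort;

    @CommandLine.Option(names = {"--key"}, description = {"Private key for admin authentication"})
    File clientKey;

    // arity 0..1 + interactive: picocli prompts for the value when the option is given without one,
    // so the password does not have to appear in the shell history. The value is only ever handed to
    // TLSConfig (as "private_key_password"); it is never printed by this class.
    @CommandLine.Option(names = {"--key-pass"}, description = {"Password for private key"}, arity = "0..1", interactive = true)
    String clientKeyPass;

    @CommandLine.Option(names = {"--ca-cert"}, description = {"Trusted certificates"})
    File caCert;

    // Only toggles hostname verification ("verify_hostnames" / TLSConfig.Builder.verifyHostnames);
    // as far as this class is concerned, chain validation against the trusted CAs still applies.
    @CommandLine.Option(names = {"-k", "--insecure"}, arity = "0..1", description = {"Do not verify the hostname when connecting to the cluster"})
    Boolean insecure;

    // Applied as "enabled_ciphers" when a cluster config is merged with the options; when no cluster
    // config is selected the TLSConfig.Builder path below has no visible setter for it (TODO confirm).
    @CommandLine.Option(names = {"--ciphers"}, description = {"The ciphers to be allowed for the TLS connection to the cluster"}, arity = "0..*")
    List<String> ciphers;

    // NOTE(review): declared for picocli but not read anywhere in this class; possibly consumed by the
    // superclass or a subclass — not visible here.
    @CommandLine.Option(names = {"--tls"}, description = {"The TLS version to use when connecting to the cluster"})
    String tls;

    /**
     * Builds a REST client for the target node and verifies the connection by requesting the
     * authenticated user's info.
     *
     * <p>Host and port are resolved in the order command line, cluster config, built-in default
     * (port only). TLS settings come from {@link #getTlsConfig(SgctlConfig.Cluster)}.
     *
     * @return a client whose debug output matches this command's {@code --debug} setting
     * @throws SgctlException if no host can be determined, the TLS settings are invalid, or the
     *         connection or the initial request fails
     */
    public SearchGuardRestClient getClient() throws SgctlException {
        try {
            SgctlConfig.Cluster cluster = getSelectedClusterConfig();
            TLSConfig tlsConfig = getTlsConfig(cluster);
            String targetHost = resolveHost(cluster);
            int port = resolvePort(cluster);

            if (this.verbose) {
                System.out.println("Connecting to " + targetHost + ":" + port + " with certificate " + describeClientCertificate(tlsConfig));
            }

            // The two try levels are kept as in the original: the inner handlers take precedence for
            // anything thrown by the client calls. The client package's exception hierarchy is not
            // visible here, so the nesting is not flattened into one catch chain.
            try {
                try {
                    SearchGuardRestClient client = new SearchGuardRestClient(new HttpHost(targetHost, port, "https"), tlsConfig);
                    client.debug(this.debug);
                    // authInfo() doubles as the connectivity and authentication check
                    System.out.println("Successfully connected to " + targetHost + " as user " + client.authInfo().getUserName());
                    return client;
                } catch (ApiException | InvalidResponseException e) {
                    throw new SgctlException("Invalid response from server: " + e.getMessage(), e);
                } catch (FailedConnectionException e) {
                    throw new SgctlException(getHumanReadableErrorMessage(e), e);
                }
            } catch (ServiceUnavailableException e) {
                throw new SgctlException("Server is unavailable: " + e.getMessage(), e);
            } catch (UnauthorizedException e) {
                throw new SgctlException("Server rejected request as unauthorized. Please check the client certificate.", e);
            }
        } catch (ConfigValidationException e) {
            throw new SgctlException("Connection settings are invalid:\n" + e.getValidationErrors(), e).debugDetail(e.toDebugString());
        }
    }

    /** Host from the command line if given, otherwise from the cluster config; fails if neither has one. */
    private String resolveHost(SgctlConfig.Cluster cluster) throws SgctlException {
        String result = getHost();
        if (result == null && cluster != null) {
            result = cluster.getServer();
        }
        if (result == null) {
            throw new SgctlException("You must specify the server on the command line");
        }
        return result;
    }

    /** Port from the command line if given, otherwise from the cluster config, otherwise {@link #DEFAULT_PORT}. */
    private int resolvePort(SgctlConfig.Cluster cluster) {
        if (this.serverPort != null) {
            return this.serverPort.intValue();
        }
        if (cluster != null) {
            return cluster.getPort();
        }
        return DEFAULT_PORT;
    }

    /** Client certificate chain for the verbose banner; "none" when the TLS config carries no client auth. */
    private String describeClientCertificate(TLSConfig tlsConfig) {
        // getClientCertAuthConfig() can be null (the merge path below checks for it), e.g. for a
        // cluster config without client_auth — the original dereferenced it unconditionally here
        if (tlsConfig == null || tlsConfig.getClientCertAuthConfig() == null) {
            return "none";
        }
        return getCertificateInfo(tlsConfig.getClientCertAuthConfig().getCertificateChain());
    }

    /**
     * Resolves the TLS settings to use for the connection.
     *
     * <ul>
     *   <li>cluster config selected and no TLS option on the command line: the cluster's TLS config as-is</li>
     *   <li>no cluster config: built purely from the options; {@code --cert} and {@code --key} are mandatory</li>
     *   <li>both: the cluster's TLS config serialized to a map, with the given options overriding
     *       individual keys, then re-parsed</li>
     * </ul>
     *
     * @param cluster the selected cluster config, may be {@code null}
     * @return the resolved TLS config; never {@code null} unless the validation-error collection is
     *         left empty by an error that was just added (kept from the original)
     * @throws ConfigValidationException if mandatory options are missing or the resulting settings
     *         do not parse; errors are keyed by the CLI option they belong to where possible
     */
    protected TLSConfig getTlsConfig(SgctlConfig.Cluster cluster) throws ConfigValidationException {
        // --ciphers is included here so it is not silently ignored when a cluster config is
        // selected (the original omitted it from this check)
        boolean noTlsOptionsGiven = this.clientCert == null && this.clientKey == null && this.clientKeyPass == null
                && this.caCert == null && this.insecure == null && this.ciphers == null;
        if (cluster != null && noTlsOptionsGiven) {
            return cluster.getTlsConfig();
        }
        if (cluster == null) {
            return buildTlsConfigFromOptions();
        }
        return mergeTlsConfigWithOptions(cluster.getTlsConfig());
    }

    /** Builds the TLS config from the command-line options alone; requires --cert and --key. */
    private TLSConfig buildTlsConfigFromOptions() throws ConfigValidationException {
        if (this.clientCert == null) {
            this.validationErrors.add(new MissingAttribute("--cert"));
        }
        if (this.clientKey == null) {
            this.validationErrors.add(new MissingAttribute("--key"));
        }
        this.validationErrors.throwExceptionForPresentErrors();
        try {
            return new TLSConfig.Builder()
                    .clientCert(this.clientCert, this.clientKey, this.clientKeyPass)
                    .trust(this.caCert)
                    .verifyHostnames(!isInsecure())
                    .build();
        } catch (ConfigValidationException e) {
            this.validationErrors.add((String) null, e);
            this.validationErrors.throwExceptionForPresentErrors();
            return null;
        }
    }

    /** Overlays the command-line options on the cluster's TLS config (as a map) and re-parses it. */
    private TLSConfig mergeTlsConfigWithOptions(TLSConfig base) throws ConfigValidationException {
        Map<String, Object> tlsMap = base.toMap();
        Map<String, Object> clientAuthMap = base.getClientCertAuthConfig() != null
                ? base.getClientCertAuthConfig().toMap()
                : new LinkedHashMap<>();
        // config key -> CLI option under which a validation error for that key is reported
        Map<String, String> keyToOption = new HashMap<>();

        if (this.clientCert != null) {
            clientAuthMap.put("certificate", fileRef(this.clientCert));
            keyToOption.put("certificate", "--cert");
        } else if (clientAuthMap.get("certificate") == null) {
            keyToOption.put("certificate", "--cert");
        }

        if (this.clientKey != null) {
            clientAuthMap.put("private_key", fileRef(this.clientKey));
            keyToOption.put("private_key", "--key");
        } else if (clientAuthMap.get("private_key") == null) {
            keyToOption.put("private_key", "--key");
        }

        if (this.clientKeyPass != null) {
            clientAuthMap.put("private_key_password", this.clientKeyPass);
        }

        if (this.caCert != null) {
            tlsMap.put("trusted_cas", fileRef(this.caCert));
            keyToOption.put("trusted_cas", "--ca-cert");
        } else if (tlsMap.get("trusted_cas") == null) {
            // "trusted_cas" lives in the top-level map; the original looked it up in the
            // client-auth map, which never holds it
            keyToOption.put("trusted_cas", "--ca-cert");
        }

        if (this.insecure != null) {
            tlsMap.put("verify_hostnames", Boolean.valueOf(!this.insecure.booleanValue()));
        }
        if (this.ciphers != null) {
            tlsMap.put("enabled_ciphers", this.ciphers);
        }
        tlsMap.put("client_auth", clientAuthMap);

        try {
            return TLSConfig.parse(tlsMap);
        } catch (ConfigValidationException e) {
            this.validationErrors.add((String) null, e);
            this.validationErrors.mapKeys(keyToOption).throwExceptionForPresentErrors();
            return null;
        }
    }

    /** True only when --insecure was given and not explicitly set to false. */
    private boolean isInsecure() {
        return this.insecure != null && this.insecure.booleanValue();
    }

    /** The "${file:...}" reference form the TLS config map uses for PEM files (resolved by the parser, presumably to the file's content). */
    private static String fileRef(File file) {
        return "${file:" + file.getAbsolutePath() + "}";
    }

    /**
     * Turns a connection failure into a message that points the user at the likely cause.
     *
     * @param failedConnectionException the failure; its cause chain is inspected
     * @return a specific hint for an untrusted server certificate or a socket-level failure,
     *         otherwise the exception's own message
     */
    private String getHumanReadableErrorMessage(FailedConnectionException failedConnectionException) {
        Throwable cause = failedConnectionException.getCause();
        String message = failedConnectionException.getMessage();
        if (cause instanceof SSLHandshakeException) {
            // message can be null; the original would have thrown an NPE on contains()
            if (message != null && message.contains("unable to find valid certification path to requested target")) {
                return "Could not validate server certificate using current CA settings. Please verify that you are using the correct CA certificates. You can specify custom CA certificates using the --ca-cert option.";
            }
        } else if (cause instanceof SSLException && cause.getCause() instanceof SocketException) {
            return "Connection failed: " + cause.getCause().getMessage();
        }
        return message;
    }

    /**
     * Renders a certificate chain for display: the subject of each X.509 certificate, the class
     * name for any other certificate type, "null" for null entries, joined by " / ".
     *
     * @param collection the chain; {@code null} or empty yields an empty string
     * @return the rendered chain
     */
    private String getCertificateInfo(Collection<? extends Certificate> collection) {
        if (collection == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (Certificate certificate : collection) {
            if (sb.length() > 0) {
                sb.append(" / ");
            }
            if (certificate instanceof X509Certificate) {
                // getSubjectX500Principal() replaces the deprecated getSubjectDN()
                sb.append(((X509Certificate) certificate).getSubjectX500Principal());
            } else if (certificate != null) {
                sb.append(certificate.getClass().getName());
            } else {
                sb.append("null");
            }
        }
        return sb.toString();
    }

    /** The host given on the command line, or {@code null}; subclasses may override the source. */
    protected String getHost() {
        return this.host;
    }
}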
